SAP Cyber Threat Intelligence report – April 2019

The SAP threat landscape is always expanding, putting organizations of all sizes and industries at risk of cyber attacks. The monthly SAP Cyber Threat Intelligence report provides insight into the latest security vulnerabilities and threats.

Key takeaways

The set for April 2019 consists of 13 security notes.

This month, Missing Authorization Check remains the most common vulnerability type.

SAP NetWeaver Java platform has the largest number of vulnerabilities fixed this month.

SAP Security Notes – March 2019

SAP has issued the monthly patch release for April 2019. This set has 13 SAP Security Notes. The highest CVSS base score is 7.5 out of 10.

Two notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

Below is a chart that illustrates the SAP security notes distribution by priority.

Three notes are updates to the previous security note release. One of them received a Hot News priority rating.

The most severe security issue was assessed at 7.5 by CVSS base score.

This time, Missing Authorization Check is still the largest group in terms of the number of vulnerabilities.

SAP Security Notes Distribution by Vulnerability Type – April 2019

Most of the vulnerabilities belong to the SAP NetWeaver Java platform, as the pie chart below shows.

Affected Platforms – April 2019

SAP users are advised to implement security patches as they are released, which helps protect the SAP landscape.

Critical issues closed by SAP Security Notes in March 2019

The following SAP Security Notes fix the most severe vulnerabilities of this update:

2687663 SAP Crystal Reports has an Information Disclosure vulnerability (CVSS Base Score: 7.5; CVE-2019-0285). An attacker can use it to reveal additional information (system data, debugging information, etc.), which helps the attacker learn about a system and plan further attacks.

2747683 SAP NetWeaver Java Application Server has a Spoofing attack vulnerability (CVSS Base Score: 7.1; CVE-2019-0283). A malicious actor can use this vulnerability to show the user illegal data. A spoofing attack allows changing the sender information, data displayed on a page, and other important information.

2643447 ABAP Server File Interface has a Directory Traversal vulnerability (CVSS Base Score: 6.3). An attacker can use it to access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and system files. This allows the attacker to obtain critical technical and business-related information stored in a vulnerable SAP system.